In conventional application architecture, a set of application processes may be used to implement an application such as an e-commerce web site or a credit transaction processing site. The application may be implemented as a set of independent processes, such as a web processing tier, a business logic tier, and a database tier. The number of processes implementing each tier of the application can vary dynamically with processing load. For example, for a commerce web site the number of web tier instances increases during peak times and may be reduced during periods of low activity. Furthermore, sound security design requires that the processes implementing the web tier not communicate directly with the database processes: because the web tier is exposed to the Internet, this safeguard prevents an attacker who compromises a web tier process from reaching data in the database tier directly.
In another example, an organization may wish to separate production applications from testing or development environments so that an experiment in the development environment does not affect the production environment. This form of segmentation, i.e., the separation of applications into different environments, is typically implemented through conventional network rules or networking techniques.
One common approach to increasing the security of network-based computer applications is the separation of applications into different networking domains. Applications within a network domain can communicate with each other over the network on specific network ports, while applications in different domains are restricted in their communication patterns. Segmentation of applications into different trust domains often uses technologies such as Virtual LANs (VLANs) or firewalls that filter traffic based on source and destination IP addresses and port numbers. In some instantiations, firewalls are dedicated devices in the network, whereas in other instantiations they are part of the host systems. In the latter case, a control plane may be used to manage the set of rules that direct the host firewalls. For example, the control plane can associate an application with certain IP addresses and port numbers and populate the corresponding firewall rules every time a new instance of the application is instantiated in the network.
Several problems with these techniques limit the ability to scale such systems. In a large application deployment, application components are very often instantiated for short periods of time, requiring the control plane to discover each new component quickly and to modify the firewall rules throughout the system to allow the specific access that component needs.
For example, suppose a set of applications A with cardinality nA communicates with a set of applications B with cardinality nB, and the applications have arbitrary, non-contiguous IP addresses, so that no address range summarizes either set. Implementing conventional segmentation with address-based firewall rules then requires nA×nB rules (essentially one rule between every source and destination pair). The rule set grows with the product of the two set sizes, i.e., quadratically when the sets grow together, and cannot scale to the requirements of modern cloud systems.
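The following added example (it is not part of the original text) makes the nA×nB rule growth and the per-instantiation control-plane churn concrete. It models a tier A of web instances that must reach a tier B of application instances on one port, enforced by host firewalls on the destination side. The tier names, addresses, port number and the iptables rendering are constructed for illustration; the address lists are deliberately non-contiguous, which is why they cannot be summarized by a CIDR prefix.

```python
"""Address-based segmentation cost model (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample deployment: non-contiguous addresses, as a scheduler would
# assign when it places instances wherever capacity happens to exist.
TIER_A = ["10.3.7.21", "10.118.2.9", "10.41.200.3", "10.9.9.77"]  # web tier
TIER_B = ["10.77.1.14", "10.5.33.2", "10.200.4.8"]               # app tier
APP_PORT = 8080                                                   # assumed port


@dataclass(frozen=True)
class Rule:
    """One explicit allow rule between a source and a destination address."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    def iptables(self):
        # Assumed host-firewall rendering on the destination host (iptables).
        return (f"iptables -A INPUT -p {self.proto} -s {self.src} -d {self.dst} "
                f"--dport {self.dport} -j ACCEPT")


def pairwise_rules(a_addrs, b_addrs, dport):
    """Conventional segmentation: one rule per (source, destination) pair."""
    return {Rule(a, b, dport) for a in a_addrs for b in b_addrs}


def rules_per_host(rules):
    """Distribute rules to the host firewalls that must hold them (ingress on dst)."""
    by_host = {}
    for r in rules:
        by_host.setdefault(r.dst, set()).add(r)
    return by_host


def rules_for_new_source(new_addr, b_addrs, dport):
    """Rules the control plane must push when a single instance joins tier A:
    one per B host, touching every B host's firewall."""
    return pairwise_rules([new_addr], b_addrs, dport)


def collapsible_prefixes(addrs):
    """Number of CIDR prefixes that summarize the set. Contiguous addresses
    collapse into a single prefix; arbitrary ones do not, so per-address rules
    cannot be aggregated into a few range rules."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    return len(list(ipaddress.collapse_addresses(nets)))


def rule_count(n_a, n_b):
    """Rules needed for |A| = n_a sources talking to |B| = n_b destinations."""
    return n_a * n_b


if __name__ == "__main__":
    rules = pairwise_rules(TIER_A, TIER_B, APP_PORT)
    print(f"{len(TIER_A)} x {len(TIER_B)} instances -> {len(rules)} rules")
    for host, rs in sorted(rules_per_host(rules).items()):
        print(f"  {host} holds {len(rs)} rules, e.g. {sorted(rs)[0].iptables()}")
    new = rules_for_new_source("10.66.0.5", TIER_B, APP_PORT)
    print(f"one new web instance -> {len(new)} new rules on "
          f"{len({r.dst for r in new})} hosts")
    contiguous = [f"10.0.0.{i}" for i in range(16)]
    print("prefixes for a contiguous /28:", collapsible_prefixes(contiguous))
    print("prefixes for tier A:", collapsible_prefixes(TIER_A))
    for n in (10, 100, 1000):
        print(f"nA = nB = {n}: {rule_count(n, n)} rules")
```

Note that the churn is the symmetric problem: every short-lived instance added to A forces a rule update on every host in B, and every instance added to B forces an update for every address in A, so the control plane's per-event work also grows with the size of the opposite set.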